Add support to prevent Cross Site Script Inclusion (XSSI) attacks #158

Closed
jeevatkm opened this issue Apr 5, 2018 · 1 comment
@jeevatkm jeevatkm commented Apr 5, 2018

The goal is to prevent Cross Site Script Inclusion (XSSI) attacks on JSON response payloads, aka the JSON vulnerability.

An XSSI attack is only successful if the returned JSON response is executable as JavaScript.

aah can add an option to prevent the attack by prefixing JSON responses to make them non-executable.

Action Items:

  • Add method JSONSecure on Reply() builder
  • Make prefix configurable from aah.conf, default prefix value to )]}',\n
  • Add documentation
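As an added example (not aah's own code), here is how the prefix described in this issue works end to end in plain Go: the server prepends the default `)]}',\n` so the body is a JavaScript syntax error if fetched via a script tag, and a first-party client strips the prefix before parsing. The names secureJSON, stripXSSIPrefix and jsonSecureHandler are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultXSSIPrefix is the default proposed in the issue; a script tag that
// includes the response URL fails to parse at the first ")" and runs nothing.
const DefaultXSSIPrefix = ")]}',\n"

// secureJSON marshals v and prepends the configured prefix (hypothetical name).
func secureJSON(v interface{}, prefix string) ([]byte, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	return append([]byte(prefix), b...), nil
}

// stripXSSIPrefix is what a legitimate client does before json.Unmarshal;
// a missing prefix is treated as an error rather than silently accepted.
func stripXSSIPrefix(body []byte, prefix string) ([]byte, error) {
	if !strings.HasPrefix(string(body), prefix) {
		return nil, fmt.Errorf("response lacks the expected XSSI prefix")
	}
	return body[len(prefix):], nil
}

// jsonSecureHandler serves payload with the prefix applied (hypothetical name).
func jsonSecureHandler(prefix string, payload interface{}) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := secureJSON(payload, prefix)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff") // no MIME sniffing to script
		w.Write(body)
	}
}

func main() {
	rec := httptest.NewRecorder() // constructed request/response, runs offline
	jsonSecureHandler(DefaultXSSIPrefix, map[string]string{"token": "constructed"})(rec, httptest.NewRequest("GET", "/api/me", nil))
	clean, _ := stripXSSIPrefix(rec.Body.Bytes(), DefaultXSSIPrefix)
	fmt.Println(json.Valid(rec.Body.Bytes()), json.Valid(clean)) // false true
}
```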
@jeevatkm jeevatkm added this to Backlog in aah Roadmap Apr 5, 2018
@jeevatkm jeevatkm moved this from Backlog to v0.11.0 - Iteration in aah Roadmap Apr 5, 2018
@jeevatkm jeevatkm added this to the v0.11.0 Milestone milestone Apr 6, 2018
@jeevatkm jeevatkm moved this from v0.11.0 - Iteration to v0.11.0 - In Progress in aah Roadmap Apr 12, 2018
@jeevatkm jeevatkm self-assigned this Apr 13, 2018
jeevatkm added a commit that referenced this issue Apr 14, 2018
…SI) attacks (#169)
jeevatkm added a commit to go-aah/docs that referenced this issue Apr 14, 2018
@jeevatkm jeevatkm commented Apr 14, 2018

Done 😄

@jeevatkm jeevatkm closed this Apr 14, 2018
aah Roadmap automation moved this from v0.11.0 - In Progress to v0.11.0 - Completed Apr 14, 2018
jeevatkm added a commit to go-aah/tools that referenced this issue Apr 14, 2018
jeevatkm added a commit to go-aah/app-templates that referenced this issue Jul 4, 2018
@jeevatkm jeevatkm moved this from v0.11.0 - Completed to Released to Audience in aah Roadmap Jul 7, 2018